U.S. Department of Energy
Office of Inspector General
Office of Audit Services

Audit Report
The Department of Energy's Audit
Resolution and Follow-up Process

DOE/IG-0840                      September 2010

Department of Energy
Washington, DC 20585

September 23, 2010

MEMORANDUM FOR THE SECRETARY

FROM:       Gregory H. Friedman
            Inspector General

SUBJECT:    INFORMATION: Audit Report on "The Department of
            Energy's Audit Resolution and Follow-up Process"

BACKGROUND

The Department of Energy's audit resolution and follow-up process provides an important
mechanism for assisting management in improving the performance of the Department
and its programs. Over the last 5 years, the Office of Inspector General (OIG) has
completed over 350 audits, which included recommendations for corrective actions or
improvements in programs, operations, and management functions. Ensuring that these
recommendations are addressed and resolved timely is a critical component of the audit
process. With this goal in mind, Department Order 224.3, Audit Resolution and
Follow-up Program, generally requires that audit reports and all associated
recommendations be closed within one year and that management officials certify that
corrective actions have been completed and that they are effective prior to closure.

In May 2007, the OIG performed a review of The Department's Audit Resolution and
Follow-up Process (DOE/IG-0766). During that effort we noted that in some cases,
agreed-upon recommendations had been closed despite the fact that corrective actions
were not always complete or effective.
In response to the 2007 report, management
officials agreed to issue guidance reemphasizing audit resolution and requirements to
perform periodic follow-up activities to help ensure that corrective actions are effective.
We initiated this audit to determine whether the Department had corrected previous
problems with the audit resolution and follow-up process and whether related issues
identified through recent audits had been resolved.

RESULTS OF AUDIT

The Department's audit follow-up process had been improved. Yet, we found that
additional efforts are needed to ensure that prompt and effective corrective actions are
taken to resolve weaknesses identified by OIG audits. During our review of closed
recommendations, we found that corrective actions had either not been completed or had
not resolved all of the significant issues outlined in four of the five previously issued audit
reports that were included in our examination. Specifically, management closed
recommendations related to the four reports even though:

    Five Department sites were still not consistently completing security clearance
    terminations in a timely manner.
    Our recent testing revealed that 19 of 104 (18
    percent) clearances we tested inappropriately remained active for periods of up to
    4 months after employee departures;

    The Department had not fully developed and implemented policies for managing
    electronic records or taken action to eliminate duplicative records retention and
    management systems;

    Sites across the Department had not resolved information technology (IT) systems
    inventory issues and weaknesses in outdated security plans in a timely manner.
    This problem was at least partially attributable to the fact that about 39 percent of
    existing corrective action milestones had missed estimated remediation dates,
    with many exceeding planned completion dates by at least one year; and,

    The National Nuclear Security Administration (NNSA) did not fully complete the
    action to establish roles and responsibilities in work-for-others agreements until
    one year after closing the associated recommendation.

We also observed that in many cases the Department had not met its established target
milestones for audit report closure. Notably, more than half of the 32 audit reports issued
between May 2007 and August 2009, had not met or will not meet the Department's one-year
target closure date.

The cause of the problems in the audit resolution process varied on a case-by-case basis.
There were some common elements, however. We noted, for example, that many officials
concluded that the available guidance was insufficient and that the effort suffered from
inadequate monitoring and oversight of the audit resolution and follow-up process. For
example, Departmental guidance lacked specificity regarding the criteria, timing, or process
to be followed in performing and documenting formal audit follow-up assessments.
As a
result, Departmental elements submitted assurance certifications without always performing
a formal follow-up to assess the efficacy of actions taken. Consequently, the Department had
not always realized potential programmatic savings and operational efficiencies that could be
achieved through a robust audit resolution process. For instance, we identified two open
audit reports containing unresolved audit recommendations greater than one year old where
realization of potential savings of $14 million may be delayed until corrective actions are
taken; and, such delays increase the likelihood that the savings may be lost entirely. Beyond
pure financial terms, failure to correct recurring problems such as not terminating security
clearances or addressing information systems inventory and access control weaknesses could
also endanger Department workers and material assets.

We recognize that some of the audit recommendations involved complex issues, requiring
significant resource investments and coordination, sometimes with external entities. We also
acknowledge that a great deal of effort has been dedicated to resolving audit issues, resulting
in the Department's reported closure of almost 300 recommendations in the past year. The
Office of the Chief Financial Officer (OCFO) recently established a Program Assessment
Team to improve the Department's management of audit findings and recommendations,
including follow-up on key findings and recommendations. It has also established a
Department-wide working group to improve the Departmental Audit Report Tracking System
and is currently assembling a working group to improve implementation of audit
recommendations. These actions are encouraging and should highlight the importance of
having a vigorous audit follow-up system where prompt and effective corrective actions are
taken and operational problems resolved.
To aid the Department in this area, we have
provided several recommendations designed to help ensure that this process is more effective
and minimize the recurrence of the same or similar findings in the future.

MANAGEMENT COMMENTS

The Department and NNSA generally expressed a commitment to resolving issues and
concerns identified in Audit Reports and improving its resolution and follow-up procedures.

Management's comments are summarized in the body of our report and have been included
verbatim in Appendix 3.

Attachment

cc: Deputy Secretary
    Under Secretary of Energy
    Under Secretary for Science
    Administrator, National Nuclear Security Administration
    Chief of Staff
    Chief Financial Officer
    Acting Chief Information Officer

REPORT ON THE DEPARTMENT OF ENERGY'S AUDIT RESOLUTION
AND FOLLOW-UP PROCESS

TABLE OF CONTENTS

Audit Resolution and Follow-up Process

  Details of Finding
  Recommendations
  Comments

Appendices

  1. Objective, Scope, and Methodology
  2. Prior Audit Reports
  3. Management Comments

AUDIT RESOLUTION AND FOLLOW-UP PROCESS

Audit Follow-up

Since the issuance of our 2007 report, the Department of Energy
(Department) has taken action to improve its audit resolution and
follow-up process. For example, in October 2007, the Office of
the Chief Financial Officer (OCFO) issued guidance
reemphasizing Department and National Nuclear Security
Administration (NNSA) responsibilities related to audit resolution
and follow-up.
The OCFO also adopted a process for requesting
quarterly updates to the Departmental Audit Report Tracking
System (DARTS), including signed Assurance of Effectiveness of
Corrective Actions (assurance certification) for completed
recommendations. In addition, the Department and NNSA have
continued to update target dates in DARTS to track the
implementation and completion of corrective actions.

While these process-related efforts have improved administration,
functional weaknesses with the audit resolution process continue to
exist. For example, we found that in many cases:
(1) recommendations from prior reports were closed, but corrective
actions to address the recommendations were not always complete
or effective; and, (2) target milestones established by the
Department for audit report closure were not met, and in a number
of cases, planned corrective actions were significantly overdue.

Recurring Issues

Based on our review of closed recommendations contained in five
previously issued audit reports, we determined that for four of the
reports, corrective actions had not been completed or significant
issues had not been effectively resolved.
Our testing revealed that
weaknesses remained in security clearance terminations,
Departmental records retention, work-for-others agreements, and
information technology security.

Security Clearance Terminations

An October 2007 report on Selected Aspects of the East Tennessee
Technology Park's Security Clearance Retention Process
(DOE/IG-0779) found that security clearances for terminated
employees at the East Tennessee Technology Park (ETTP) were
inappropriately and unnecessarily retained beyond the period
permitted by Departmental policy. In accordance with Department
Order 470.4A, Safeguards and Security Program, the processing
personnel security office must be notified within 2 working days of
when an individual no longer requires an access authorization.
Accordingly, we made recommendations to improve the security
clearance process. Management's response to the report indicated
that corrective actions had been completed and, consequently, the
recommendations were closed with the issuance of the audit report.

However, our recent analysis found that security clearances were
not always being terminated in a timely manner at the five sites
selected for review.
We reviewed a mix of 104 active and
terminated security clearances from ETTP, Oak Ridge National
Laboratory, Sandia National Laboratories, Los Alamos National
Laboratory, and Brookhaven National Laboratory (Brookhaven).
One active security clearance at Brookhaven was held open for
2 months after an employee quit working and 18 terminated
clearances at the other four sites reviewed were processed 1 to
4 months late, including 10 of 28 clearances reviewed at ETTP.
Failure to terminate these clearances in a timely manner increased
the risk that unauthorized individuals could gain access to sensitive
sites and information.

Work for Others Agreements

In a September 2007 report on NNSA Construction of a
Radiological/Nuclear Complex for Homeland Security
(DOE/IG-0775), we recommended that NNSA establish Work for Others
(WFO) agreements that specify responsibilities for monitoring
contract performance and approving project baselines and changes
to cost, scope, and schedule. According to a status of corrective
actions entry in the Departmental Audit Report Tracking System
(DARTS), NNSA issued draft guidance to its sites in
September 2008 that established roles and responsibilities regarding
WFO agreements. With that action, NNSA considered the
recommendation closed.
However, an October 2009 report on
Work for Others Performed by the Department of Energy for the
Department of Defense (DOE/IG-0829) found that NNSA did not
finalize guidance to its site offices on WFO agreements until
August 2009 – after we brought the matter to its attention.
According to an NNSA official, the guidance was not finalized
pending a Department decision regarding the applicability of
June 2008 Office of Management and Budget guidance, as well as
an NNSA assessment of its site offices' execution of the WFO
program. Nonetheless, NNSA had closed the recommendation one
year prior to fully implementing the corrective action.

Information Technology Security

Both the 2007 and 2008 annual Office of Inspector General (OIG)
evaluation reports on The Department's Unclassified Cyber
Security Program (DOE/IG-0776 and DOE/IG-0801) identified the
need for improvements in areas such as systems inventory, access
control, and configuration management. According to those
reports, these internal control weaknesses existed, at least in part,
because program officials had not ensured that corrective action
tracking plans, known as Plans of Action & Milestones (POA&M),
were used effectively.
Also, officials had not performed effective
management review activities essential for evaluating the adequacy
of cyber security performance.

The 2009 evaluation of The Department's Unclassified Cyber
Security Program (DOE/IG-0828) reported that the Department
continued to make incremental improvements in its unclassified
cyber security program and that most sites had taken action to
address weaknesses identified in the previous report. However, the
2009 evaluation also identified recurring weaknesses at sites
managed by NNSA and across various Department program
elements. Weaknesses such as outdated security plans and not
completing annual security control self-assessments were
identified at several sites. Additionally, the Department had not
yet resolved systems inventory issues and had yet to deploy a
complex-wide automated asset management tool. According to the
report, these weaknesses were found at multiple sites because, as in
the prior years, Department management had not effectively
monitored and reviewed activities essential for evaluating the
adequacy of cyber security performance.
In some cases, officials
had not ensured weaknesses discovered during audits were
recorded and tracked to resolution in the organizations' POA&Ms.
Notably, our review revealed that implementation delays continued
to exist and that about 39 percent of existing corrective action
milestones had missed estimated remediation dates, with many
exceeding planned completion dates by at least one year.

Departmental Records Retention

An April 2005 report on The Retention and Management of the
Department's Records (DOE/IG-0685) recommended that the
Department develop and finalize a detailed records management
policy to address requirements for storing electronic records,
incorporate records management into the system development
life-cycle, and develop a corporate solution to eliminate duplicative
systems. Our Follow-up Audit on Retention and Management of
the Department of Energy's Electronic Records (DOE/IG-0838)
found that while the Department had taken certain actions in
response to recommendations made in the prior report, it was still
not adequately managing its electronic records and had taken only
limited action to eliminate duplicative record management
systems.
Specifically, the Department had not fully developed
and/or implemented overall policies for managing electronic
records and sites had not implemented records management
applications to aid in maintaining and disposing of such records.

Timeliness of Closure Actions

We also found that, in many instances, the Department had not met
its established target milestones for audit report closure.
Department Order 224.3, Audit Resolution and Follow-up
Program, requires that closure of audit reports should generally
take no longer than one year after issuance of the final report.
However, more than half of the 32 audit reports issued between
May 2007 and August 2009 that we reviewed had not met or will
not meet the one-year target closure date. Although the
Department had been establishing and updating target dates for the
completion of the corrective actions and tracking progress in
DARTS, six of the eight closed audit reports we reviewed
exceeded the one-year deadline. Additionally, more than half of
the 24 open reports had already exceeded the one-year target, with
6 open in excess of 20 months.

We recognize that some recommendations may involve corrective
actions of a complex or technical nature that require more than a
year to bring to a close.
We also observed that most of the status
updates in DARTS demonstrated that incremental progress was
being made toward completion of these corrective actions.
However, some Departmental elements significantly exceeded
their original estimates for completing corrective actions without
providing assurance certifications or closing the reports in
accordance with Department Order 224.3, as illustrated by the
following examples:

• Beryllium Surface Contamination at the Y-12 National
  Security Complex (DOE/IG-0783) was issued in
  December 2007 and recommended that the Chief Health,
  Safety and Security Officer revise the Department's
  regulations to require controls, including posting areas
  when surface beryllium contamination occurs in
  non-operational areas. In March 2008, the Beryllium rule was
  being amended with anticipated issuance by the end of
  Calendar Year 2009. Subsequent quarterly updates to
  DARTS continuously pushed out the completion date. As
  of March 2010, the proposed amendments were expected
  to be submitted by February 2011, and the final rule issued
  by January 2012.

• Management of the Department's Data Centers at the
  Contractor Sites (DOE/IG-0803) was issued in October
  2008 and recommended that NNSA and the Office of
  Science (Science) provide guidance and require
  contractors and field sites to monitor server utilization,
  take advantage of existing server capacity, and consolidate
  servers, data centers, and common services, where
  appropriate.
  As we noted at the time the report was
  issued, savings available from consolidation of servers at
  just the sites reviewed could have amounted to as much as
  $2.3 million per year. The original target closure date for
  completion of NNSA's and Science's corrective actions
  was October 2009, and subsequent DARTS updates
  indicated that actions were proceeding as scheduled.
  However, as of March 2010, the target closure dates had
  been revised to March 2011 for Science and December
  2012 for NNSA. Science indicated in DARTS that a
  vacancy in a key management position was the reason for
  their delay, but there was no explanation for the revision
  to NNSA's target closure date.

• The Department of Energy's Management of Contractor
  Intergovernmental Personnel and Change of Station
  Assignments (DOE/IG-0761), was issued in March 2007,
  and recommended NNSA develop guidance for contractor
  use of Intergovernmental Personnel Act (IPA) and Change
  of Station (COS) assignments. The report noted the
  Department incurred about $11.3 million for IPA & COS
  assignments which either exceeded the 4-year allowable
  maximum term and/or had excessive relocation
  allowances. NNSA's original estimate to complete
  corrective actions was December 2007; however, as of
  February 2010, the guidance had not been issued. DARTS
  updates showed that the guidance had been pushed back
  due to scheduling issues and more pressing issues in
  Headquarters.
  NNSA is attempting to implement new
  guidance on IPA and COS assignments by September
  2010.

• Quality Assurance Standards for the Integrated Control
  Network at the Hanford Site's Waste Treatment Plant
  (DOE/IG-0764), was issued in May 2007 and
  recommended Environmental Management ensure that the
  integrated control network for the plant meets appropriate
  quality standards for its immobilization of high-level
  waste functions. The DARTS updates described the
  evaluations in progress from December 2007 through
  March 2009 and Environmental Management considered
  the corrective actions complete as of June 2009. The
  assurance certification was signed one year later, but the
  report remains open.

Management Guidance and Monitoring

Corrective actions taken by Departmental elements were
not always complete, effective, or timely because of insufficient
guidance and inadequate monitoring and oversight of the audit
resolution and follow-up process. The OCFO, as the organization
tasked with oversight of the audit follow-up process, issued general
guidance requiring that Departmental elements perform reviews to
ensure corrective actions are effective. However, the guidance
lacked specificity regarding the criteria, timing, or process to be
followed in performing and documenting these formal audit
follow-up assessments.
As a result, Departmental elements
submitted assurance certifications without always performing a
formal follow-up to assess the efficacy of actions taken. A number
of NNSA and program officials stated that they believe the policy
did not allow sufficient time to perform an assessment and also
meet the one-year audit closure requirement, since a thorough
effectiveness review should occur after the corrective actions have
had time to take effect. Despite these assertions, the Departmental
elements did not communicate the need for additional time beyond
the one-year closure date to perform the effectiveness reviews in
DARTS or to the OCFO.

Although the Department made improvements in reviewing report
recommendations for applicability to other organizations/sites, it
often did not take action to implement corrective actions at
applicable sites/programs other than those specifically mentioned
in the audit reports. We noted that, most of the audit coordinators
did not review OIG audit reports addressing issues in other
programs for applicability to their own program. Those that did,
generally did not require that the site/organization take action or
officially report back on whether or not actions were taken.
We
also noted that the OCFO did not perform analyses of recurring
trends in audit findings to determine if broader corrective measures
were warranted.

Maximizing Audit Value

Untimely, incomplete, or ineffective resolution of audit
recommendations could prevent the Department from realizing
significant savings or achieving operational efficiencies. For
example, we identified two open audit reports in DARTS over one
year old that contained recommendations that could potentially
achieve $14 million in savings. However, until corrective actions
are taken to address the various report recommendations,
realization of these savings may be delayed or lost. The
recommendations included issuance of guidance emphasizing
stronger controls over temporary personnel transferring between
contractors and other agencies and consolidation of computer
servers.

We also noted a number of instances of recurring problems
identified in audit reports we reviewed.
Failure to correct these
recurring problems could have significant negative consequences,
to include:

• Vital national security projects performed for the
  Department of Defense may not meet cost estimates and
  established performance schedules absent clearly defined
  monitoring roles and responsibilities for WFO projects;

• Failure to improve the timeliness of security clearance
  terminations increases the risk of unauthorized access and
  malicious damage to Department assets, potentially
  endangering the Department's workers;

• Departmental systems and the information they contain
  could be subject to unnecessary risk if appropriate actions
  are not taken to address information system inventory and
  access control issues; and,

• The Department may not be able to recover necessary
  information during crucial events such as litigation of
  health, safety, and environmental issues, if ineffective
  records management systems are not improved.

RECOMMENDATIONS

To promote consistency throughout the Department, improve
program effectiveness, and ensure that corrective actions taken to
address audit report recommendations are implemented timely and
correct the deficiencies noted, we recommend that the Chief
Financial Officer, in coordination with the Administrator, NNSA,
the Under Secretary of Energy and the Under Secretary for
Science:
1. Develop specific guidance which addresses the criteria,
   timing, and process to be followed in performing and
   documenting formal audit follow-up assessments; and,

2. Review and revise policy and guidance, as appropriate, to
   ensure it is realistic and in line with effective audit
   resolution and follow-up objectives, including
   establishing separate target milestones for the completion
   of the various stages of the audit follow-up process.

In addition, to ensure the adequacy of corrective actions taken to
address the recommendations, we recommend that the
Administrator, NNSA, the Under Secretary of Energy and the
Under Secretary for Science:

3. Perform formal audit follow-up assessments in
   accordance with Departmental guidance; and,

4. Review audit reports to determine applicability at other
   sites and ensure that actions are taken to implement
   corrective actions at applicable sites/programs other than
   those specifically mentioned in the audit reports.

MANAGEMENT REACTION

The Department and NNSA concurred with our first three
recommendations and partially concurred with Recommendation 4.
Regarding Recommendation 1, the Office of the Chief Financial
Officer (OCFO) has convened a working group to develop
guidance to address the criteria, timing, and process to be followed
in performing and documenting formal audit follow-up
assessments.
This working group will be responsible for reviewing
and revising this guidance, as necessary, and establishing separate
target milestones for the completion of the various stages of the
audit follow-up process in accordance with Recommendation 2. In
response to Recommendation 3, Departmental Management agreed
to conduct follow-up reviews for high-risk audits, while NNSA
agreed to look at ways to perform audit follow-up assessments, and
validate corrective actions and effectiveness of those actions.
However, regarding Recommendation 4, Management believes
that current procedures satisfy the intent of the recommendation.
Specifically, OCFO responded that Departmental audit
coordinators currently review the weekly reports and other
notifications issued by the OCFO for findings relevant to their sites
and programs which may result in self-initiated reviews. For this
reason, they do not plan to institute a formal follow-up and
resolution process for offices not included in the original audit
scope. Similarly, NNSA believes it is the responsibility of each
Site/Program Manager to decide if that particular action needs to
be taken at their site/program; however, they disagree that
corrective actions should be taken if it [the recommendation] is not
scope.

AUDITOR COMMENTS

For the most part, we consider Management's responses and
planned actions sufficient to meet the intent of our
recommendations. We agree with NNSA that each Site/Program
Manager should decide if that particular action needs to be taken at
their site/program.
The planned actions appear to be consistent
with Department Order 224, which requires each Departmental
organization to review audit report findings and recommendations
assigned to other organizations for applicability and to determine
whether actions need to be taken to resolve the issues identified.

Appendix 1

OBJECTIVE

The objective of this audit was to determine whether the
Department of Energy (Department) had corrected previously
reported problems with the audit resolution and follow-up process
and whether related issues identified through recent audits had
been resolved.

SCOPE

The audit was performed between August 2009 and April 2010.
We conducted work at Departmental Headquarters and obtained
information from Oak Ridge National Laboratory in Oak Ridge,
Tennessee; Sandia National Laboratories in Livermore, California;
Brookhaven National Laboratory in Upton, New York; Los
Alamos National Laboratory located in Los Alamos, New Mexico;
Lawrence Livermore National Laboratory at Livermore,
California; the Y-12 National Security Complex in Oak Ridge,
Tennessee; the East Tennessee Technology Park in Oak Ridge,
Tennessee; the Savannah River Site Office in Aiken, South
Carolina; and, the Nevada, Kansas City, and Pantex Site Offices in
Las Vegas, Nevada; Kansas City, Missouri; and Amarillo, Texas,
respectively.

METHODOLOGY

To accomplish the audit objective, we:

  • Reviewed Departmental orders, policies and procedures
    related to audit resolution and follow-up;

  • Held discussions with
    Headquarters program officials
    regarding the audit resolution and follow-up process;

  • Analyzed 32 Office of Inspector General (OIG) audit
    reports and associated recommendations from May 2007
    through August 2009 to determine if target closure dates
    were established and met;

  • Reviewed Departmental Audit Report Tracking System
    data to determine status of selected OIG audit
    recommendations;

  • Reviewed five judgmentally-selected OIG audit reports
    from April 2005 through August 2009 to determine
    whether corrective actions taken had addressed reported
    issues;

  • Obtained October 2008 through October 2009 data files of
    active and terminated clearances from the Central
    Personnel Clearance Index (CPCI) system at Headquarters
    and the local site systems;

  • Compared contractor provided listings of terminated
    employees to CPCI to determine the length of time it took
    to terminate the clearances in CPCI;

  • Held discussions with Headquarters officials to gain an
    understanding of roles, responsibilities, and procedures
    concerning termination of security clearances;

  • Held discussions with Headquarters and field site officials
    to gain an understanding of the controls in place to monitor
    publicly accessible Federal website
    development and
    postings; and,

  • Reviewed performance related information to determine
    compliance with the Government Performance and Results
    Act of 1993.

We conducted this performance audit in accordance with generally
accepted Government auditing standards. Those standards require
that we plan and perform the audit to obtain sufficient, appropriate
evidence to provide a reasonable basis for our findings and
conclusions based on our audit objective. We believe that
evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objective.

Accordingly, we assessed the significant internal controls and
performance measures established under the Government
Performance and Results Act of 1993. While a performance
measure for tracking target completion dates for each open audit
recommendation had been established, no performance measures
to track audit report closure or the effectiveness of corrective
actions had been developed. Because our review was limited, it
would not necessarily disclose all internal control deficiencies that
may have existed at the time of our audit. We obtained and
reviewed the computer processed data made available to us in
order to achieve our audit objective.
We validated the reliability of
such data, to the extent necessary to satisfy our audit objective, by
tracing it to source documents or other supporting information.

Management waived an exit conference.

Appendix 2

PRIOR AUDIT REPORTS

  • Follow-up Audit on Retention and Management of the Department of Energy's Electronic
    Records (DOE/IG-0838, September 2010). The Department of Energy's (Department)
    program to retain and dispose of its records inventory was not always operated efficiently
    and effectively. Although officials reported that our prior audit findings had been
    addressed, we continued to identify weaknesses with the Department's ability to retain
    and manage electronic records. In particular, we noted that Department programs, the
    National Nuclear Security Administration (NNSA), and field sites had not ensured that
    electronic records, including e-mail, were identified, stored and disposed of properly.
    Recommendations were to finalize and implement the updated Departmental policies and
    guidance; utilize a central authority to help ensure a coordinated approach; ensure that the
    identification, maintenance, and disposition of electronic records is managed through the
    use of records management applications, in accordance with Federal and Department
    requirements; and, develop and implement mandatory records management training.

  • Work for Others Performed by the Department of Energy for the Department of Defense
    (DOE/IG-0829, October 2009).
    Because of the very nature of the Department of
    Energy's (Department) management and operating contracting model, Work for Others
    (WFO) projects may not always be technically compliant with Department of Defense
    (DoD) procurement regulations. In particular, it was noted that the National Nuclear
    Security Administration (NNSA) and its contractors had not adequately defined roles and
    responsibilities of the Department and those of DoD customers on WFO technical
    projects. Given the importance of the work products resulting from the collaborations
    between the Department and DoD, the auditors concluded that identifying avenues to
    improve these relationships would serve the national interest. The report identified
    several opportunities to achieve this objective and improve management of the
    Department's WFO process, which included ensuring that DoD customers are provided
    with all appropriate cost and pricing information as requested by the DoD customer and
    clarifying responsibilities for monitoring and control of WFO technical projects.

  • The Department's Unclassified Cyber Security Program – 2009 (DOE/IG-0828, October
    2009). The Department continued to make incremental improvements in its unclassified
    cyber security program. The report disclosed that most sites had taken action to address
    weaknesses previously identified in the Office of Inspector General Fiscal Year (FY)
    2008 evaluation report.
    They improved certification and accreditation (C&A) of systems;
    strengthened configuration management of networks and systems; performed
    independent assessments; and, developed and/or refined certain policies and procedures.
    However, the report also identified opportunities for improvements in areas such as
    security planning and testing, systems inventory, access controls, and configuration
    management at sites managed by NNSA and across various Department program
    elements.

  • Management of the Department's Data Centers at Contractor Sites (DOE/IG-0803,
    October 2008). Our review identified that the Department had not always taken
    advantage of opportunities to improve the efficiency of its contractor data centers. These
    data centers duplicated many of the functions or services provided by other co-located
    centers and had not efficiently utilized hardware technologies. The Department officials
    had not provided guidance or adequately communicated best practices to contractors and
    field sites regarding opportunities to consolidate data centers and improve the efficiency
    of information technology hardware and services. We estimated that the Department
    could save over $2.3 million annually through the use of more efficient hardware
    technologies that enable the consolidation of servers.

  • The Department's Unclassified Cyber Security Program - 2008 (DOE/IG-0801,
    September 2008). The review identified opportunities for improvements in areas such as:
    certification and accreditation of systems (C&A); systems inventory; contingency
    planning; and, segregation of duties.
    Similar to past observations, these internal control
    weaknesses existed, at least in part, because not all Department program organizations,
    including NNSA, had revised and implemented policies incorporating Federal and
    Departmental cyber security requirements in a timely manner. Program officials had also
    not effectively performed management review activities essential for evaluating the
    adequacy of cyber security performance. In some cases, officials had not ensured that
    weaknesses discovered during audits and other examinations were recorded and tracked
    to resolution. Risk of compromise to the Department's information and systems remained
    higher than necessary.

  • Management of the Department's Publicly Accessible Websites (DOE/IG-0789, March
    2008). The Department did not always ensure that its publicly accessible websites were
    secure and that key Federal requirements regarding website management were enforced.
    The audit identified over 50 significant cyber security incidents in the last three FYs,
    about half involving defacement of web pages, which could have been prevented had
    proper security controls been in place. Also, content on publicly accessible web servers
    was not always controlled and reviewed periodically, contributing to an additional eight
    incidents which involved the exposure of personally identifiable information to
    unauthorized or malicious sources.

  • Beryllium Surface Contamination at the Y-12 National Security Complex (DOE/IG-0783,
    December 2007). We found that the Y-12 National Security Complex (Y-12) had not
    consistently implemented key controls in non-beryllium operations areas as required by
    its Prevention Program.
    Specifically, when surface contamination was found outside
    beryllium operational areas, Y-12 had not always posted signs alerting workers to the
    potential for beryllium surface contamination, and performed or documented hazard
    assessments for beryllium contamination. Y-12's implementation of its Prevention
    Program was hampered because the contractor did not track recommendations made by
    its industrial hygienists to post contaminated areas and did not have a single repository of
    beryllium information that could be used by management and workers to identify
    contaminated locations. As a result of these control weaknesses, the Department and
    Y-12 may not be doing all that is possible to minimize the risk of worker exposure to
    beryllium in non-beryllium operations areas.

  • Selected Aspects of the East Tennessee Technology Park's Security Clearance Retention
    Process (DOE/IG-0779, October 2007). Security clearances for terminated employees at
    the East Tennessee Technology Park (ETTP) were inappropriately and unnecessarily held
    active beyond the timeframe permitted under Department policy. Specifically, the
    auditors identified 54 contractor or subcontractor employees who had been terminated
    from ETTP for at least three months and whose clearances remained active. Most of the
    employees were terminated through layoffs or involuntary reductions-in-force.
    Additionally, 12 of the 54 employees maintained "Q" clearances, the highest level of
    security clearance provided to Departmental employees.

  • The Department's Unclassified Cyber Security Program – 2007 (DOE/IG-0776,
    September 2007).
    Problems persisted with the C&A of Department systems related to
    assessing risks and ensuring the adequacy of security controls. The Department had not
    established a complex-wide inventory system and a number of organizations still had not
    ensured their contingency plans were in working order. Additional deficiencies were
    identified that reduced the Department's ability to protect its computer resources from
    unauthorized actions, so the Department could not always ensure the personal
    information on agency systems was adequately protected. Therefore, the risk of
    compromise to the Department's information and systems remained higher than
    acceptable.

  • National Nuclear Security Administration's Construction of a Radiological/Nuclear
    Complex for Homeland Security (DOE/IG-0775, September 2007). The Department of
    Homeland Security (Homeland Security) entered into an interagency agreement with
    NNSA's Nevada Site Office to construct the Radiological/Nuclear Countermeasures Test
    and Evaluation Complex (Rad/Nuc CTEC). Homeland Security requested that the
    project be fast-tracked so that construction at Nevada Test Site could begin before
    building design was completed in order to have the project completed by February 2007.
    The audit determined that management and coordination responsibilities between the
    Department and Homeland Security were not clearly defined and the project was not
    appropriately staffed. The audit concluded that experience with the Rad/Nuc CTEC
    project provided important "lessons learned" for managing the Department's expanding
    portfolio of WFO projects.

  • The Department's Audit Resolution and Follow-up Process (DOE/IG-0766, May 2007).
    The Department had made significant improvements to many aspects of its follow-up
    system.
    In particular, it had ensured that target closure dates were established for all
    agreed-upon recommendations and, in most cases, audit recommendations were closed in
    a timely manner. However, we found that, in some cases, agreed-upon recommendations
    had been closed, but corrective actions had either not been completed or were ineffective
    because: (1) the Department had not given sufficient management attention to the audit
    resolution and follow-up process; (2) corrective actions were not communicated to
    applicable sites or subordinate organizations for implementation; (3) officials had not
    verified that corrective actions were implemented or fully addressed previously issued
    findings; or, (4) Departmental elements that had not been a party to the initial reviews
    had not been examining audit report findings and recommendations to determine whether
    actions needed to be taken to resolve similar issues in their organizations.

  • Quality Assurance Standards for the Integrated Control Network at the Hanford Site's
    Waste Treatment Plant (DOE/IG-0764, May 2007). Our review found that the Waste
    Treatment Plant control system did not meet applicable quality assurance standards.
    Bechtel National failed to impose parallel requirements on the subcontractor which
    supplied the control system. In addition, Environmental Management officials did not
    adequately conduct necessary tests to ensure the control system for the integrated control
    network at the Waste Treatment Plant met appropriate quality assurance standards.
    As a
    result, the Department could not be sure the Plant's current system was suitable for
    processing nuclear waste.

  • The Department of Energy's Management of Contractor Intergovernmental Personnel
    and Change of Station Assignments (DOE/IG-0761, March 2007). The Department did
    not have a system to determine the number and propriety of Intergovernmental Personnel
    Act (IPA) and Change of Station (COS) assignments. We performed a detailed review of
    77 such assignments and found that the Department was not actively ensuring that the
    IPA and COS assignments were cost effective; operated in accordance with existing
    procedures or good business practice; or, that taxpayer-provided funds supporting
    IPA/COS assignments were put to the best possible use. We found that 31 of the 77
    assignments had questionable components – the Department incurred about $11.3 million
    for IPA & COS assignments which either exceeded the 4-year allowable maximum term
    and/or had excessive relocation allowances.

  • The Retention and Management of the Department's Records (DOE/IG-0685, April
    2005). The Department's program to retain and dispose of its records inventory was not
    always operated efficiently and effectively. The Department had not adopted a
    comprehensive records management program. Specifically, the Department had not
    implemented a policy to meet National Archives and Records Administration
    requirements governing records management nor had it placed sufficient management
    emphasis on ensuring that records were adequately maintained.
    Recommendations were
    to develop and finalize detailed policy, implement guidance to support complex-wide
    records management policy, and ensure the senior records manager had sufficient
    authority for leading, planning, and managing the Department's records management
    program.

Appendix 3

Management Comments

The Office of Inspector General wants to make the distribution of its reports as customer friendly and cost
effective as possible. Therefore, this report will be available electronically through the Internet at the
following address:

U.S. Department of Energy Office of Inspector General Home Page
http://www.ig.energy.gov